
Malware Analysis

Analysis of a Botnet Takeover

This article describes an effort to take control of a particularly sophisticated and insidious botnet and study its operations for a period of 10 days. It summarizes what the authors learned and reports on what has happened to that botnet since.

Brett Stone-Gross, Marco Cova, Bob Gilbert, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna, University of California, Santa Barbara

Copublished by the IEEE Computer and Reliability Societies, 1540-7993/11/$26.00 © 2011 IEEE, January/February 2011

Botnets, networks of malware-infected machines (bots) controlled by an adversary, are the root cause of a large number of Internet security problems. They're the primary way cybercriminals carry out their nefarious tasks, such as sending spam, launching denial-of-service attacks, or stealing personal data. A particularly sophisticated and insidious variety is called Torpig, malware designed to harvest sensitive information such as bank account and credit-card data from its victims.

To learn more about how botnets operate and what information they collect, particularly in the case of centralized IRC- and HTTP-based botnets, you can attempt to hijack the entire botnet. In this article, we describe our experience with actively seizing control of the Torpig (also called Sinowal or Anserin) botnet and studying its operations for 10 days. During this time, we observed more than 180,000 infections and recorded almost 70 Gbytes of data. Although Torpig typically targets bank account and credit-card data, we found that it also steals a variety of other personal information. Ultimately, we were able to determine the botnet's size precisely and compare our results to alternative ways of counting botnet populations. The data provides a vivid demonstration of the threat that botnets in general and Torpig in particular present to today's Internet. We also report on what has happened in the time that has passed since we lost control of the Torpig botnet and discuss some of the ethical and legal considerations of this type of research.

Torpig Life Cycle

On the surface, Torpig is one of many Trojan horses infesting today's Internet. However, the sophisticated techniques it uses to steal data from its victims, the complex network infrastructure it relies on, and the vast financial damage that it causes set Torpig apart from other malware. A review of the Torpig life cycle, shown in Figure 1, illustrates the nature of the threat.

Torpig's victims acquire the malware as part of the Mebroot rootkit, which takes control of a machine by replacing the system's Master Boot Record (MBR). Attackers modify legitimate but vulnerable webpages (step 1 in Figure 1) with the inclusion of HTML tags that cause the victim's browser to request JavaScript code (step 2) from a webpage under the attackers' control (step 3), a so-called drive-by download attack [1]. The JavaScript launches exploits against the browser or some of its components, such as ActiveX controls and plugins. If any exploit is successful, the victim's machine downloads and executes a program from the drive-by download server. The victim's machine then becomes a bot (step 4).

Mebroot has no malicious capability on its own. Instead, it provides a generic platform that installs, uninstalls, and activates other modules (such as DLLs). Mebroot initially contacts the Mebroot command-and-control (C&C) server to obtain malicious modules (step 5). It places these modules, in encrypted form, in the system32 directory so that if the user reboots the machine, it can reuse them immediately without having to contact the C&C server. It also timestamps the modules and names them after existing files in the same directory (with a different, random extension) to avoid raising suspicion. After the initial update, Mebroot contacts its C&C server periodically, in two-hour intervals, to report its current configuration (that is, the type and version number of the currently installed modules) and to receive any updates. All communication with the C&C server occurs via HTTP requests and responses using a sophisticated, custom encryption algorithm.

Figure 1. The Torpig network infrastructure. Shaded in gray are the components owned by the criminals. The Torpig command-and-control server is the component that we "hijacked." Step 1: Attackers modify vulnerable webpages. Step 2: Modified page redirects victim's browser to drive-by download server. Step 3: Vulnerable browser requests JavaScript. Step 4: Victim downloads and executes Mebroot to become a bot. Step 5: Bot obtains Torpig modules. Step 6: Bot uploads data stolen from victim's computer. Step 7: When browsing a targeted site, victim is redirected to HTML injection server for man-in-the-browser attack.

In the case of the Torpig botnet, the Mebroot C&C server distributes the Torpig malware modules, and Mebroot injects them into some number of applications. These might include the Service Control Manager (services.exe), the file manager, Web browsers (for example, Microsoft Internet Explorer, Firefox, and Opera), FTP clients (such as CuteFTP and LeechFTP), email clients (such as Thunderbird, Outlook, and Eudora), instant messengers (for example, Skype and ICQ), and system programs (such as the command line interpreter cmd.exe). After the injection, Torpig can inspect all the data handled by the infected programs and identify and store interesting pieces of information, such as credentials for online accounts and stored passwords.

Every 20 minutes Torpig contacts the Torpig C&C server to upload stolen data (step 6). This communication with the server also occurs over HTTP, protected by a simple obfuscation mechanism based on XORing the clear text with an 8-byte key and base64 encoding the result. (Security researchers broke this scheme at the end of 2008, and tools are now available to automate the decryption, such as Don Jackson's Untorpig, available from http://www.secureworks.com/research/tools/untorpig/.) The C&C server can reply to a bot in one of several ways. The server can simply acknowledge the data in what we call an okn response, because of the string contained in the server's reply. The C&C server can also send a configuration file to the bot (we call this an okc response), obfuscated by a simple XOR-11 encoding. This file specifies how often the bot should contact the C&C server, a set of hard-coded servers to be used as backup, and a set of parameters to perform "man-in-the-browser" phishing attacks.

Torpig uses phishing attacks to actively elicit additional, sensitive information from its victims beyond that which it might acquire during the passive monitoring it normally performs. These attacks occur in two steps. First, whenever the infected machine visits one of the domains specified in the configuration file (typically a banking webpage), Torpig issues a request to an injection server. The server's response identifies a trigger page on the target domain to instigate the attack (typically the site's login page), a URL on the injection server that contains the phishing content (the injection URL), and several parameters for fine-tuning the attack (for example, specifying whether the attack is active and the maximum number of times to launch it). The second step occurs when the user visits the trigger page: Torpig requests the injection URL from the injection server and puts the returned content into the user's browser (step 7). This content typically consists of an HTML form that asks the user for sensitive information, such as credit-card and social security numbers.

Even attentive users find these phishing attacks difficult to detect. The injected content carefully reproduces the target webpage's style and "look and feel," and the injection mechanism defies all phishing indicators included in modern browsers. For example, the SSL configuration appears correct, as does the URL displayed in the address bar, as shown in Figure 2, a screenshot of a Torpig phishing page for Chase Bank.

Figure 2. A man-in-the-browser phishing attack. Not only does the page have the same style as the original webpage, but the URL correctly points to the

uses a domain generation algorithm (DGA) to compute a list of domain names. The bot attempts to contact them in order until one successfully resolves to an IP address and the corresponding server provides a valid response. The bot then treats that host as genuine until the next round of domain generation. Domain flux is increasingly popular among botnet authors; the Kraken/Bobax and Srizbi bots and, more recently, the Conficker worm used similar mechanisms. By reverse engineering the domain generation algorithm, it's possible to predict the domains the bots will attempt to contact.

Torpig's DGA relies on the current date and a numerical parameter. The algorithm first computes a "weekly" domain name, call it dw, that depends on the current week and year but is independent of the current day. (In other words, it remains constant for the entire week.) The bot then appends TLDs to the weekly domain name, generating domains such as dw.com, dw.net, and dw.biz. If attempts to reach its C&C server at those domains fail, Torpig computes a "daily" domain, say, dd, which also depends on the current day.
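The candidate-domain ordering just described (weekly name dw under .com, .net and .biz first, then the daily name dd as a fallback) is what lets a defender enumerate and pre-register or sinkhole the names a bot will try on a given date. The following is an added example, not code from the article or from Torpig itself: the label derivation is a placeholder hash, because Torpig's real label computation is not given on this page, and the numerical parameter `param` is treated as an opaque integer input.

```python
import datetime
import hashlib
from typing import List, Set

TLDS = [".com", ".net", ".biz"]  # appended in this order, as the article describes


def _label(*parts: int, length: int = 8) -> str:
    # Placeholder label derivation (assumption, NOT Torpig's real computation):
    # hash the numeric inputs and map digest bytes onto lowercase letters so
    # the result is always a syntactically valid DNS label.
    seed = "-".join(str(p) for p in parts).encode()
    digest = hashlib.sha256(seed).digest()
    return "".join(chr(ord("a") + b % 26) for b in digest[:length])


def weekly_label(iso_date: str, param: int) -> str:
    # dw: depends only on the ISO year and week, so it is constant all week.
    iso_year, iso_week, _ = datetime.date.fromisoformat(iso_date).isocalendar()
    return _label(iso_year, iso_week, param)


def daily_label(iso_date: str, param: int) -> str:
    # dd: additionally depends on the day itself, so it changes every day.
    day = datetime.date.fromisoformat(iso_date)
    return _label(day.year, day.month, day.day, param)


def candidate_domains(iso_date: str, param: int) -> List[str]:
    # Ordered list a bot would walk through: the weekly name under each TLD
    # first, then the daily name under each TLD as the fallback.
    dw, dd = weekly_label(iso_date, param), daily_label(iso_date, param)
    return [dw + tld for tld in TLDS] + [dd + tld for tld in TLDS]


def domains_to_preregister(start_iso: str, days: int, param: int) -> Set[str]:
    # Defender view: the union of every candidate over a window of days, i.e.
    # the names to register or sinkhole ahead of time so that bots whose
    # earlier candidates fail end up talking to a controlled host.
    start = datetime.date.fromisoformat(start_iso)
    names: Set[str] = set()
    for offset in range(days):
        day = start + datetime.timedelta(days=offset)
        names.update(candidate_domains(day.isoformat(), param))
    return names


if __name__ == "__main__":
    # Constructed sample date; param=1 is an arbitrary placeholder value.
    for name in candidate_domains("2009-01-26", 1):
        print(name)
```

Over a single ISO week the weekly labels collapse to one name per TLD, so a seven-day window yields 3 weekly plus 21 daily candidates.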